diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..addfb5d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,45 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+build/
+dist/
+wheels/
+*.egg-info/
+*.egg
+
+# Virtual environments
+.venv/
+venv/
+ENV/
+
+# IDE
+.idea/
+.vscode/
+*.swp
+*.swo
+*~
+
+# Jupyter
+.ipynb_checkpoints/
+
+# Testing
+.pytest_cache/
+.coverage
+htmlcov/
+
+# Type checking
+.mypy_cache/
+
+# Environment variables
+.env
+.env.*
+
+# OS
+.DS_Store
+Thumbs.db
diff --git a/compose_files/Caddyfile b/compose_files/Caddyfile
new file mode 100644
index 0000000..83f25c1
--- /dev/null
+++ b/compose_files/Caddyfile
@@ -0,0 +1,28 @@
+# Caddyfile
+# Place this at /etc/caddy/Caddyfile on the caddy instance.
+# Caddy will automatically obtain and renew TLS certificates via Let's Encrypt.
+
+# erda-reader
+reader.erdaverse.com {
+ handle /api/* {
+ reverse_proxy erda-reader-backend:8000
+ }
+ handle {
+ reverse_proxy erda-reader-frontend:3000
+ }
+}
+
+# FusionAuth
+auth.erdaverse.com {
+ reverse_proxy fusionauth:9011
+}
+
+# n8n
+n8n.erdaverse.com {
+ reverse_proxy n8n:5678
+}
+
+# NATS WebSocket
+nats.erdaverse.com {
+ reverse_proxy nats:8080
+}
diff --git a/compose_files/caddy.yml b/compose_files/caddy.yml
new file mode 100644
index 0000000..7cc62d7
--- /dev/null
+++ b/compose_files/caddy.yml
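Review bot: The `handle /api/*` block under `reader.erdaverse.com` forwards the request path unchanged, so `erda-reader-backend:8000` receives `/api/...`; nothing states whether the backend expects that prefix or whether `handle_path` (which strips it) was intended, and a one-line comment would settle it: `# backend routes are mounted under /api — keep the prefix (handle, not handle_path)`. All four `reverse_proxy` targets are plaintext hops on the erda-net overlay with TLS ending at Caddy, which is what `no_tls: true` on the NATS websocket listener in nats.conf relies on; the header comment should say so, since the Caddyfile is edited on the host rather than through this repo.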
@@ -0,0 +1,39 @@
+version: '3.8'
+
+# Deploy with:
+# docker stack deploy -c caddy.yml caddy
+#
+# Runs on: CADDY_INSTANCE (ip-10-0-1-168)
+# Caddy handles TLS automatically via Let's Encrypt.
+# Reverse proxies all public subdomains to the correct services on erda-net.
+# Caddyfile is bind mounted from the host — edit /etc/caddy/Caddyfile on the caddy instance.
+
+services:
+ caddy:
+ image: caddy:latest
+ ports:
+ - "80:80"
+ - "443:443"
+ volumes:
+ - /etc/caddy/Caddyfile:/etc/caddy/Caddyfile
+ - caddy_data:/data
+ - caddy_config:/config
+ networks:
+ - erda-net
+ deploy:
+ replicas: 1
+ placement:
+ constraints:
+ - node.hostname == ip-10-0-1-168
+ restart_policy:
+ condition: on-failure
+ delay: 5s
+ max_attempts: 3
+
+volumes:
+ caddy_data:
+ caddy_config:
+
+networks:
+ erda-net:
+ external: true
diff --git a/compose_files/files.zip b/compose_files/files.zip
new file mode 100644
index 0000000..bf5fb4b
Binary files /dev/null and b/compose_files/files.zip differ
diff --git a/compose_files/fusionauth.yml b/compose_files/fusionauth.yml
new file mode 100644
index 0000000..d44a921
--- /dev/null
+++ b/compose_files/fusionauth.yml
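Review bot: `image: caddy:latest` is an unpinned tag; `docker stack deploy` resolves it to whatever digest the registry serves at deploy time, so a routine redeploy of the TLS edge can land a new major version with no change in this file. The same applies to `fusionauth/fusionauth-app:latest` in fusionauth.yml, `n8nio/n8n:latest` in n8n.yml and `nats:latest` in nats.yml, whereas postgres.yml already pins `postgres:16`. Pin at least the major, e.g. `image: caddy:2`, and note that with `max_attempts: 3` a bad image leaves the edge down rather than retrying indefinitely. The bind mount `/etc/caddy/Caddyfile:/etc/caddy/Caddyfile` depends on the operator having placed the file on ip-10-0-1-168 beforehand, as the header comment says; presumably the deploy fails if it is missing, which is preferable to Caddy starting with an empty config.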
@@ -0,0 +1,39 @@
+version: '3.8'
+
+# Deploy with:
+# export POSTGRES_PASSWORD='...' FUSIONAUTH_DB_PASSWORD='...'
+# sudo -E docker stack deploy -c fusionauth.yml fusionauth
+#
+# Passwords sourced from AWS Secrets Manager (swarm_infra_secrets)
+#
+# Runs on: CADDY_INSTANCE (ip-10-0-1-168)
+# FusionAuth is Java-based and memory hungry — deployed on caddy node (t3.large, 8GB)
+# Accessible publicly via Caddy reverse proxy at auth.erdaverse.com
+
+services:
+ fusionauth:
+ image: fusionauth/fusionauth-app:latest
+ environment:
+ DATABASE_URL: jdbc:postgresql://postgres:5432/fusionauth_db
+ DATABASE_ROOT_USERNAME: postgres
+ DATABASE_ROOT_PASSWORD: ${POSTGRES_PASSWORD}
+ DATABASE_USERNAME: fusionauth_user
+ DATABASE_PASSWORD: ${FUSIONAUTH_DB_PASSWORD}
+ FUSIONAUTH_APP_MEMORY: 512M
+ FUSIONAUTH_APP_RUNTIME_MODE: production
+ SEARCH_TYPE: database
+ networks:
+ - erda-net
+ deploy:
+ replicas: 1
+ placement:
+ constraints:
+ - node.hostname == ip-10-0-1-168
+ restart_policy:
+ condition: on-failure
+ delay: 5s
+ max_attempts: 3
+
+networks:
+ erda-net:
+ external: true
diff --git a/compose_files/n8n.yml b/compose_files/n8n.yml
new file mode 100644
index 0000000..faf0b70
--- /dev/null
+++ b/compose_files/n8n.yml
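Review bot: `DATABASE_ROOT_PASSWORD: ${POSTGRES_PASSWORD}` and `DATABASE_PASSWORD: ${FUSIONAUTH_DB_PASSWORD}` are interpolated from the deploying shell and stored verbatim in the service spec, where `docker service inspect` shows them to anyone with manager access, and the `export POSTGRES_PASSWORD='...'` step in the header comment also leaves them in shell history. The rest of the stack already does this differently: postgres.yml declares `postgres_password` and `fusionauth_db_password` as external Swarm secrets, and n8n.yml reads its password from `/run/secrets/` in a small `/bin/sh -c` wrapper before exec'ing the app. The same wrapper pattern would work here, attaching both secrets under `secrets:` and exporting them from `/run/secrets/postgres_password` and `/run/secrets/fusionauth_db_password`; the FusionAuth image's own start command needs to be checked before its entrypoint is replaced. Handing the Postgres superuser password to the application also deserves a comment stating what it is used for (presumably initial schema setup only, since 01-init.sh already creates `fusionauth_user` and `fusionauth_db`), so the next reader does not assume the app runs as superuser.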
@@ -0,0 +1,55 @@
+version: '3.8'
+
+# Deploy with:
+# docker stack deploy -c n8n.yml n8n
+#
+# Runs on: CADDY_INSTANCE (ip-10-0-1-168)
+# Accessible publicly via Caddy reverse proxy at n8n.erdaverse.com
+
+services:
+ n8n:
+ image: n8nio/n8n:latest
+ entrypoint: /bin/sh
+ command:
+ - -c
+ - |
+ export DB_POSTGRESDB_PASSWORD=$(cat /run/secrets/n8n_db_password)
+ exec n8n
+ environment:
+ DB_TYPE: postgresdb
+ DB_POSTGRESDB_HOST: postgres
+ DB_POSTGRESDB_PORT: 5432
+ DB_POSTGRESDB_DATABASE: n8n_db
+ DB_POSTGRESDB_USER: n8n_user
+ N8N_HOST: n8n.erdaverse.com
+ N8N_PORT: 5678
+ N8N_PROTOCOL: https
+ WEBHOOK_URL: https://n8n.erdaverse.com
+ GENERIC_TIMEZONE: UTC
+ NODES_EXCLUDE: "[]"
+ secrets:
+ - n8n_db_password
+ volumes:
+ - n8n_data:/home/node/.n8n
+ networks:
+ - erda-net
+ deploy:
+ replicas: 1
+ placement:
+ constraints:
+ - node.hostname == ip-10-0-1-168
+ restart_policy:
+ condition: on-failure
+ delay: 5s
+ max_attempts: 3
+
+secrets:
+ n8n_db_password:
+ external: true
+
+volumes:
+ n8n_data:
+
+networks:
+ erda-net:
+ external: true
diff --git a/compose_files/nats.conf b/compose_files/nats.conf
new file mode 100644
index 0000000..5dfa965
--- /dev/null
+++ b/compose_files/nats.conf
@@ -0,0 +1,15 @@
+listen: 0.0.0.0:4222
+
+jetstream {
+ store_dir: /data
+}
+
+websocket {
+ listen: "0.0.0.0:8080"
+ no_tls: true
+ authorization {
+ token: "LKD0knyFLTBpxW9Tq9eTgLiTYJOzNlyxAHLLb3Th"
+ }
+}
+
+http: 0.0.0.0:8222
diff --git a/compose_files/nats.yml b/compose_files/nats.yml
new file mode 100644
index 0000000..8000b58
--- /dev/null
+++ b/compose_files/nats.yml
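Review bot: `export DB_POSTGRESDB_PASSWORD=$(cat /run/secrets/n8n_db_password)` cannot fail: the status of an `export` statement is `export`'s own, not `cat`'s, so if the secret is missing or unreadable the line sets an empty password and `exec n8n` still runs, and the resulting database authentication failures are hard to trace back to the mount. Split the assignment from the export so the substitution's status is checked: `DB_POSTGRESDB_PASSWORD="$(cat /run/secrets/n8n_db_password)" || exit 1` followed by `export DB_POSTGRESDB_PASSWORD`. `NODES_EXCLUDE: "[]"` explicitly excludes no nodes on an instance that the header says is publicly reachable; if that is deliberate, a comment saying so would keep a later reader from assuming it was a placeholder.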
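Review bot: `token: "LKD0knyFLTBpxW9Tq9eTgLiTYJOzNlyxAHLLb3Th"` is a live credential committed to the repository, and the Caddyfile publishes this listener at nats.erdaverse.com, so the token is now in git history for everyone with read access; treat it as exposed, rotate it, and keep only a placeholder in the tracked file. NATS config supports `include`, so the `authorization { ... }` block can live in a separately delivered file (for instance a Swarm secret mounted into the container) referenced as `include "<path-to-secret-file>"`, leaving nats.conf itself free of secrets. The plain client listener `listen: 0.0.0.0:4222` has no `authorization` block at all, so every container on the erda-net overlay (caddy, n8n, fusionauth, postgres) can publish, subscribe and use JetStream unauthenticated; if the overlay is considered trusted, say so in a comment, otherwise add an `authorization` block for that listener too. `no_tls: true` is only acceptable because Caddy terminates TLS in front of port 8080; `# TLS terminated by Caddy (nats.erdaverse.com); plaintext on erda-net only` on that line records the dependency.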
@@ -0,0 +1,33 @@
+version: "3.8"
+
+services:
+ nats:
+ image: nats:latest
+ command: ["-c", "/etc/nats/nats.conf"]
+ configs:
+ - source: nats_conf
+ target: /etc/nats/nats.conf
+ volumes:
+ - nats_data:/data
+ networks:
+ - erda-net
+ deploy:
+ replicas: 1
+ placement:
+ constraints:
+ - node.hostname == ip-10-0-1-168
+ restart_policy:
+ condition: on-failure
+ delay: 5s
+ max_attempts: 3
+
+configs:
+ nats_conf:
+ file: ./nats.conf
+
+volumes:
+ nats_data:
+
+networks:
+ erda-net:
+ external: true
diff --git a/compose_files/postgres-init/01-init.sh b/compose_files/postgres-init/01-init.sh
new file mode 100755
index 0000000..65030c2
--- /dev/null
+++ b/compose_files/postgres-init/01-init.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+set -e
+
+FUSIONAUTH_PASS=$(cat /run/secrets/fusionauth_db_password)
+N8N_PASS=$(cat /run/secrets/n8n_db_password)
+APP_PASS=$(cat /run/secrets/app_db_password)
+
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL
+ CREATE USER fusionauth_user WITH PASSWORD '$FUSIONAUTH_PASS';
+ CREATE DATABASE fusionauth_db OWNER fusionauth_user;
+ GRANT ALL PRIVILEGES ON DATABASE fusionauth_db TO fusionauth_user;
+
+ CREATE USER n8n_user WITH PASSWORD '$N8N_PASS';
+ CREATE DATABASE n8n_db OWNER n8n_user;
+ GRANT ALL PRIVILEGES ON DATABASE n8n_db TO n8n_user;
+
+ CREATE USER erda_reader_user WITH PASSWORD '$APP_PASS';
+ CREATE DATABASE erda_reader_db OWNER erda_reader_user;
+ GRANT ALL PRIVILEGES ON DATABASE erda_reader_db TO erda_reader_user;
+EOSQL
diff --git a/compose_files/postgres.yml b/compose_files/postgres.yml
new file mode 100644
index 0000000..8b8b73d
--- /dev/null
+++ b/compose_files/postgres.yml
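Review bot: `configs: - source: nats_conf` delivers nats.conf as a Swarm config, but that file carries an authorization token, and Swarm configs, unlike secrets, are not encrypted at rest in the managers' Raft store and their contents are returned by `docker config inspect`. Deliver the file as a secret instead: under the service, `secrets: - source: nats_conf` with `target: /etc/nats/nats.conf`, and at top level `secrets: nats_conf: file: ./nats.conf`, leaving `command: ["-c", "/etc/nats/nats.conf"]` as it is. This is also one of two compose files without the `# Deploy with:` / `# Runs on:` header the others carry; the constraint `node.hostname == ip-10-0-1-168` is only identifiable as the caddy instance from those other files.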
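Review bot: The secrets are spliced into SQL text through the unquoted heredoc, `CREATE USER fusionauth_user WITH PASSWORD '$FUSIONAUTH_PASS';` and the two sibling lines, so a password containing `'` or `\` produces broken or unintended SQL; passing each value as a `psql` variable and referencing it with `:'name'` lets psql do the quoting for any value. The rewritten invocation is below. Two smaller points: `GRANT ALL PRIVILEGES ON DATABASE ... TO <owner>` is redundant once `OWNER` is set, and a header comment should state that the postgres image runs this script only when the data directory is initialised for the first time, so a rotated secret is not applied by redeploying.

```shell
psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" \
     -v fa_pass="$FUSIONAUTH_PASS" -v n8n_pass="$N8N_PASS" -v app_pass="$APP_PASS" <<-EOSQL
    CREATE USER fusionauth_user WITH PASSWORD :'fa_pass';
    -- … unchanged: fusionauth_db CREATE DATABASE / GRANT …
    CREATE USER n8n_user WITH PASSWORD :'n8n_pass';
    -- … unchanged: n8n_db CREATE DATABASE / GRANT …
    CREATE USER erda_reader_user WITH PASSWORD :'app_pass';
    -- … unchanged: erda_reader_db CREATE DATABASE / GRANT …
EOSQL
```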
@@ -0,0 +1,44 @@
+version: '3.8'
+
+services:
+ postgres:
+ image: postgres:16
+ environment:
+ POSTGRES_USER: postgres
+ POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
+ volumes:
+ - postgres_data:/var/lib/postgresql/data
+ - /etc/postgres-init:/docker-entrypoint-initdb.d
+ networks:
+ - erda-net
+ secrets:
+ - postgres_password
+ - fusionauth_db_password
+ - n8n_db_password
+ - app_db_password
+ deploy:
+ replicas: 1
+ placement:
+ constraints:
+ - node.hostname == ip-10-0-1-173
+ restart_policy:
+ condition: on-failure
+ delay: 5s
+ max_attempts: 3
+
+volumes:
+ postgres_data:
+
+networks:
+ erda-net:
+ external: true
+
+secrets:
+ postgres_password:
+ external: true
+ fusionauth_db_password:
+ external: true
+ n8n_db_password:
+ external: true
+ app_db_password:
+ external: true
diff --git a/proxmox/post_init_node.org b/proxmox/post_init_node.org
new file mode 100644
index 0000000..1934e09
--- /dev/null
+++ b/proxmox/post_init_node.org
@@ -0,0 +1,5 @@
+* commands to run after
+echo "deb http://download.proxmox.com/debian/pve trixie pve-no-subscription" > /etc/apt/sources.list.d/pve-no-subscription.list
+mv /etc/apt/sources.list.d/pve-enterprise.sources /etc/apt/sources.list.d/pve-enterprise.sources.disabled
+mv /etc/apt/sources.list.d/ceph.sources /etc/apt/sources.list.d/ceph.sources.disabled
+echo "deb http://download.proxmox.com/debian/ceph-squid trixie no-subscription" > /etc/apt/sources.list.d/ceph-no-subscription.list
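Review bot: The bind mount `/etc/postgres-init:/docker-entrypoint-initdb.d` expects `01-init.sh` to already exist under `/etc/postgres-init` on ip-10-0-1-173, but this commit adds the script at `compose_files/postgres-init/01-init.sh` and nothing here copies it to the node; on a clean host the cluster would be initialised without the application roles, and since the image only runs initdb.d scripts on an empty data directory the script would not be picked up by a later redeploy. Either document the copy step in a header comment, in the style of caddy.yml's `# Caddyfile is bind mounted from the host — ...`, or deliver the script as a Swarm config with `target: /docker-entrypoint-initdb.d/01-init.sh` and `mode: 0755` so it travels with the stack. This file also lacks the `# Deploy with:` / `# Runs on:` header the other compose files carry, and the four `external: true` secrets must be created with `docker secret create` before the first deploy; a comment naming them would make that prerequisite explicit.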